(SM Support Tip): Working with mandatory parameter encryption in SM 9.50 and above
Since Service Manager 9.50, a set of parameters holding authentication data is automatically encrypted at startup, and the sm.ini file is updated accordingly (if the values are not already encrypted).
The encryption key is stored in the smmasterkey parameter at the beginning of the sm.ini file; this parameter must not be edited manually.
This mechanism is documented here: SM 9.52 Documentation > Randomly generated master keys
Because all parameters encrypted with smmasterkey relate to credentials, it is best practice, for security reasons, to replace the smmasterkey value with "<>" before sending sm.ini to external recipients who do not need access to the systems (e.g. Micro Focus support). Without the key, the encrypted values in the file are of no use to the recipient.
An encrypted parameter is identified in sm.ini by an asterisk prefix.
Example of an unencrypted parameter:
Example of an encrypted parameter:
However, there are two kinds of encrypted parameters:
The smmasterkey mechanism is applied automatically to the following parameters:
All other parameters can be encrypted manually using the older encryptionkey mechanism (see SM 9.52 Documentation > Startup parameter encryptionkey).
When sm.ini files are maintained on multiple SM application servers, this adds requirements to the procedure for rolling out new sm.ini files, for example when migrating from an older SM version to SM 9.50 or later.
We propose the following procedure as best practice:
- Prepare an sm.ini template with all parameters of the set listed above in clear text and without the smmasterkey parameter
- Copy this sm.ini template to all SM application hosts and edit each copy where host-specific settings are required
- Start Service Manager on each host and verify that every sm.ini file has now been encrypted correctly.
* Because smmasterkey is generated randomly on each host, the encrypted values of the first kind are expected to differ from host to host. Copying an sm.ini that already contains smmasterkey and encrypted values from one host to another defeats this.
* Because parameters of the second kind depend on the encryptionkey parameter, that parameter can be set in the sm.ini template beforehand or added later. Their encrypted values may be identical on every application host when encryptionkey is the same.
When there is an issue with smmasterkey, we expect the following messages in the sm.log file:
RTE E EVP_CipherFinal_ex failed in desDecryptWithAES256CBC()
RTE E [OPENSSL] error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
These messages appear at the very beginning of the session log, or next to a specific parameter whose encrypted value cannot be decrypted (for example because smmasterkey was changed or copied from another host).
Note: OpenSSL is also used elsewhere by the SM RTE, for example for LDAP connections and query hash processing, so similar error messages may also appear in those contexts and do not necessarily point at smmasterkey.
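As an added illustration (not part of the original tip and not code shipped with Service Manager), the following Python script ties the procedure above and the sm.log check together: it audits the sm.ini files collected from several application hosts after startup (smmasterkey present, first-kind parameters encrypted, encrypted values differing per host), produces the sanitized copy for support with the smmasterkey value replaced by "<>", and scans an sm.log for the two decrypt-failure messages. It assumes sm.ini lines have the form name:value, that an encrypted value starts with an asterisk, and that # starts a comment; the parameter names sqllogin and ldapbindpass are placeholders standing in for the documented set, and the sm.ini and sm.log samples are constructed.

```python
"""Audit, sanitize and troubleshoot sm.ini encryption across SM 9.50+ hosts.

Assumptions (not taken from the original tip): sm.ini lines are ``name:value``,
an encrypted value starts with ``*``, lines starting with ``#`` are comments.
"""
import re

# Placeholder for the documented set of parameters that smmasterkey encrypts
# automatically; substitute the real list from the SM documentation.
MASTERKEY_PARAMS = {"sqllogin", "ldapbindpass"}  # hypothetical names
MASTERKEY = "smmasterkey"


def parse_ini(text):
    """Return (name, value) pairs; comments and blank lines are skipped.
    A bare switch without a colon yields an empty value."""
    params = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        params.append((name.strip(), value.strip()))
    return params


def is_encrypted(value):
    return value.startswith("*")


def audit(text, hostname):
    """Classify one host's sm.ini: is smmasterkey present, which first-kind
    parameters are still in clear text, which values carry the '*' prefix."""
    params = dict(parse_ini(text))
    return {
        "host": hostname,
        "has_masterkey": MASTERKEY in params,
        "masterkey_value": params.get(MASTERKEY),
        "unencrypted": sorted(n for n in MASTERKEY_PARAMS
                              if n in params and not is_encrypted(params[n])),
        "encrypted": sorted(n for n, v in params.items() if is_encrypted(v)),
    }


def check_fleet(inis):
    """Cross-host verification after startup (step 3 of the procedure).
    Each host must have its own random smmasterkey, so first-kind encrypted
    values must differ between hosts; identical values or a shared key suggest
    an sm.ini that was copied after startup."""
    findings = []
    audits = {host: audit(text, host) for host, text in inis.items()}
    for host, a in audits.items():
        if not a["has_masterkey"]:
            findings.append(f"{host}: smmasterkey missing, SM has not started with this sm.ini yet")
        for n in a["unencrypted"]:
            findings.append(f"{host}: {n} is still in clear text")
    by_param = {}  # name -> encrypted value -> hosts carrying it
    for host, text in inis.items():
        for n, v in parse_ini(text):
            if n in MASTERKEY_PARAMS and is_encrypted(v):
                by_param.setdefault(n, {}).setdefault(v, []).append(host)
    for n, groups in by_param.items():
        for hosts in groups.values():
            if len(hosts) > 1:
                findings.append(f"{n}: identical encrypted value on {', '.join(hosts)} (copied after startup?)")
    keys = [a["masterkey_value"] for a in audits.values() if a["masterkey_value"]]
    if len(keys) != len(set(keys)):
        findings.append("smmasterkey shared between hosts (copied after startup?)")
    return findings


def sanitize_for_support(text):
    """Copy of sm.ini with the smmasterkey value replaced by '<>', as the tip
    recommends before sending the file to external recipients."""
    out = []
    for raw in text.splitlines():
        name, sep, _ = raw.strip().partition(":")
        out.append(f"{MASTERKEY}:<>" if sep and name.strip() == MASTERKEY else raw)
    return "\n".join(out) + "\n"


# The two sm.log messages quoted in the tip.
BAD_DECRYPT = re.compile(r"EVP_CipherFinal_ex failed in desDecryptWithAES256CBC\(\)"
                         r"|EVP_DecryptFinal_ex:bad decrypt")


def find_decrypt_errors(log_text, startup_window=20):
    """Return (line_no, line, at_startup) for every decrypt-failure signature.
    Hits inside the first `startup_window` lines match the smmasterkey case;
    later hits may come from other OpenSSL users in the RTE (LDAP, query hash)."""
    return [(i, line, i <= startup_window)
            for i, line in enumerate(log_text.splitlines(), 1)
            if BAD_DECRYPT.search(line)]


# Constructed sample files (not real configurations or logs).
HOST_A = "smmasterkey:1111aaaa2222bbbb\nsystem:13080\nsqllogin:*A1B2C3\nldapbindpass:*D4E5F6\n"
HOST_B = "system:13080\nsqllogin:user/secret\nldapbindpass:*D4E5F6\n"
SAMPLE_LOG = ("RTE E EVP_CipherFinal_ex failed in desDecryptWithAES256CBC()\n"
              "RTE E [OPENSSL] error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n"
              "RTE I Process started\n")

if __name__ == "__main__":
    for f in check_fleet({"hostA": HOST_A, "hostB": HOST_B}):
        print("FINDING:", f)
    print(sanitize_for_support(HOST_A))
    for line_no, line, at_startup in find_decrypt_errors(SAMPLE_LOG):
        print(f"sm.log line {line_no} (startup={at_startup}): {line}")
```

Run it once per rollout with the sm.ini files gathered from every application host; an empty findings list means each host has its own smmasterkey and no first-kind value survived in clear text. hostB in the sample deliberately shows the two things that go wrong when a file is copied after startup or SM was never started on it.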